pagokit

Audit an existing PagoKit integration — gitignore, env vars, key prefixes, webhook secret, raw body, replay protection, idempotency, DB schema, minimum events handled.

Analyze the current project and generate a production-ready payment integration (frontend + backend + webhook + DB + portal + refund).

Send synthetic webhook events to a locally running PagoKit integration (valid signature, invalid signature, replay attempt) to verify the handler responds correctly.

Implements a chosen payment-provider integration in the user's project after payment-advisor finishes the wizard. Receives a structured spec (provider, stack, ORM, deploy target, billing mode, frontend style, language) and generates checkout endpoint, webhook handler with signature verification, DB migrations, customer portal, refund endpoint, error mapper, frontend component, .env.example, plus PAGOKIT_INTEGRATION.md and PAGOKIT_PRODUCTION_CHECKLIST.md as audit trail. Cites SECURITY_RULES on every generated file. Use when payment-advisor completes a recommendation and the user confirms — never invoke this subagent directly without going through /pagokit:start.

Audits an existing PagoKit integration in the current project. Checks .gitignore covers .env, that env vars are present and use test-key prefixes, that the webhook secret looks valid, that the webhook handler verifies signatures, that the minimum events for the integrated provider are routed, and that PAGOKIT_INTEGRATION.md exists. Used by /pagokit:doctor. Read-only — never writes files.

Composes a full vertical payment integration from canonical templates. Called by integration-specialist subagent after the user selects a provider. Loads templates by (provider, stack, ORM, deploy target, billing_mode, frontend_style, use_cases) and emits a coherent file plan that gets written to the user's project. Always cites webhook-verifier and SECURITY_RULES. Phase 1 supports stripe, mercadopago, wompi, lemonsqueezy on Next.js App Router and Express; Phase 2 adds more.

Recommends the single best payment provider for the user's project after a short interactive wizard. Used when the user wants to integrate Stripe, Mercado Pago, Wompi, Lemon Squeezy, or compare payment options based on country, currency, recurrence, local payment methods (PIX, OXXO, PSE, Bizum), and product type. Triggered by /pagokit:start. Computes fees in real money for a typical transaction; never exposes numeric scores; always discloses last_verified_at and applicable Phase-1 limitations. Bilingual ES/EN/PT, language inferred from the user's first prompt.

Detects a project's technology stack, framework, deploy target, ORM, primary language, and active payment use cases by reading package.json/pyproject.toml/composer.json/Gemfile, schema files, route files, and deploy configs. Use this skill at the start of any PagoKit flow to ground recommendations in the real project context. Emits a structured detection result for payment-advisor and integration-specialist to consume.

Reference for cryptographic verification of payment webhooks. Cited by integration-specialist whenever it generates a webhook handler. Documents per-provider signature algorithms, timestamp tolerances, replay-protection strategies, raw-body capture per stack, and the minimum set of events each handler must route. Always use this skill (instead of recalling from training data) — webhook verification is where the integration goes silently wrong.

3 hooks across 3 events